What do things look like on the outside? That’s the main focus we have as human beings. But beauty is only skin deep. As with relationships and leaked NSA documents, we quickly discover that what’s on the inside is just as, if not more, important. It’s often not very pretty. This is especially true for web application security.

Such internal web applications are often ripe for attack and abuse, in large part because they’re not adequately tested. That’s been my experience at least. The scoping of an internal security assessment often bypasses these critical systems housing intellectual property, credit card information, and protected health information. The belief is “They’ll be okay, our employees will do the right thing.”

Interestingly, I often find the largest number of critical vulnerabilities on internal-facing web applications. Things like:

They’re run-of-the-mill web flaws; the difference is that when they sit in the internal web environment, odds are no one’s watching for malicious use. A textbook case of “you cannot secure what you don’t acknowledge.”

A web vulnerability exploited on the internal network looks like nothing more than trusted transactions. That is unless you’re inspecting SSL and specific application workflows and database accesses for malicious behavior. But what’s that saying: Ain’t nobody got time for that. At least none of the IT managers, admins, and developers I speak with have that kind of time. Even a well-tuned WAF can create a serious false sense of security. But how many businesses are running one of those internally? Not many.

Likewise, internal audit controls, server patching, system hardening – you name it, can all be neglected when systems are inside the “trusted” realm being accessed by only “trusted” users (as far as you know).

Never forget that just because someone has access to an internal web application doesn’t mean they need access. Likewise, in the case of Snowden, just because someone has passed a background check, obtained a security clearance, or has good references doesn’t mean he or she is not capable of doing harm.
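The two points above, watching specific application workflows and database accesses for malicious behavior, and questioning whether someone who has access actually needs it, can be turned into a first-pass check over an internal application's own access log. The script below is an added example, not code from the original post: it assumes a simple log format with a username field, an assumed role-to-URL-prefix mapping, and a constructed sample log for an internal HR records app. It flags requests outside a user's role and users who read more distinct records than their peers plausibly need.

```python
"""Flag suspicious use of an internal web application from its access log.

Added example, not from the original post. Two checks the post motivates:
  1. role check: a user hitting endpoints their role does not need (least privilege)
  2. volume check: one user pulling far more records than peers (enumeration / bulk pull)
The log format, role mapping, and log lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Assumed log format: client IP, app username, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Assumed mapping of which URL prefixes each role legitimately needs.
ROLE_PREFIXES = {
    "hr": ("/hr/",),
    "helpdesk": ("/it/",),
    "finance": ("/finance/",),
}
USER_ROLES = {"jdoe": "helpdesk", "asmith": "hr", "bwong": "finance"}

# Individual HR record views, the workflow we count per user.
RECORD_RE = re.compile(r"^/hr/records/(\d+)$")

# Constructed sample log: jdoe (helpdesk) walks through HR records he has no
# business reading; asmith (HR) does normal work; bwong's cross-role attempt is denied.
SAMPLE_LOG = """\
10.1.2.3 jdoe [12/Mar/2014:09:00:10] "GET /it/tickets/77 HTTP/1.1" 200
10.1.2.3 jdoe [12/Mar/2014:09:01:02] "GET /hr/records/1001 HTTP/1.1" 200
10.1.2.3 jdoe [12/Mar/2014:09:01:04] "GET /hr/records/1002 HTTP/1.1" 200
10.1.2.3 jdoe [12/Mar/2014:09:01:06] "GET /hr/records/1003 HTTP/1.1" 200
10.1.2.3 jdoe [12/Mar/2014:09:01:08] "GET /hr/records/1004 HTTP/1.1" 200
10.1.2.3 jdoe [12/Mar/2014:09:01:10] "GET /hr/records/1005 HTTP/1.1" 200
10.1.2.3 jdoe [12/Mar/2014:09:01:12] "GET /hr/records/1006 HTTP/1.1" 200
10.1.2.9 asmith [12/Mar/2014:09:02:10] "GET /hr/records/1003 HTTP/1.1" 200
10.1.2.9 asmith [12/Mar/2014:09:05:31] "POST /hr/records/1003 HTTP/1.1" 302
10.1.2.14 bwong [12/Mar/2014:09:07:00] "GET /finance/invoices HTTP/1.1" 200
10.1.2.14 bwong [12/Mar/2014:09:07:45] "GET /hr/records/1001 HTTP/1.1" 403
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def out_of_role_accesses(entries):
    """Requests to paths outside the user's role. A 2xx/3xx here means the app
    granted access the role does not need; a 403 still shows someone probing."""
    hits = []
    for e in entries:
        allowed = ROLE_PREFIXES.get(USER_ROLES.get(e["user"]), ())
        if not e["path"].startswith(allowed):  # unknown users/roles are flagged too
            hits.append((e["user"], e["path"], e["status"]))
    return hits


def bulk_record_readers(entries, threshold):
    """Users who successfully viewed more distinct HR records than `threshold`."""
    seen = defaultdict(set)
    for e in entries:
        m = RECORD_RE.match(e["path"])
        if m and e["method"] == "GET" and 200 <= e["status"] < 300:
            seen[e["user"]].add(m.group(1))
    return {user: len(ids) for user, ids in seen.items() if len(ids) > threshold}


def analyze(text, bulk_threshold=5):
    """Run both checks and return their findings."""
    entries = parse_log(text)
    return {
        "out_of_role": out_of_role_accesses(entries),
        "bulk_readers": bulk_record_readers(entries, bulk_threshold),
    }


if __name__ == "__main__":
    for check, findings in analyze(SAMPLE_LOG).items():
        print(check, findings)
```

On the sample data this reports jdoe six times for reading HR records his helpdesk role does not cover and once as a bulk reader, and bwong once for a denied cross-role request; asmith, doing in-role work, is never flagged. The threshold and the role map are the tunable parts: the role map is the "does this person need access?" question written down, and the volume threshold is what separates routine lookups from someone quietly walking the record space.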